mirror of
https://github.com/bitcoinbook/bitcoinbook
synced 2024-11-21 23:58:09 +00:00
1035 lines
54 KiB
Plaintext
1035 lines
54 KiB
Plaintext
[[c_signatures]]
|
||
== Digital Signatures
|
||
|
||
Two ((("digital signatures", "schnorr signature algorithm")))((("schnorr signature algorithm")))((("digital signatures", "ECDSA")))((("ECDSA (Elliptic Curve Digital Signature Algorithm)")))((("transactions", "signatures", see="digital signatures")))signature algorithms are currently
|
||
used in Bitcoin, the _schnorr signature algorithm_ and the _Elliptic
|
||
Curve Digital Signature Algorithm_ (_ECDSA_).
|
||
These algorithms are used for digital signatures based on elliptic
|
||
curve private/public key pairs, as described in <<elliptic_curve>>.
|
||
They are used for spending segwit v0 P2WPKH outputs, segwit v1 P2TR
|
||
keypath spending, and by the script functions +OP_CHECKSIG+,
|
||
+OP_CHECKSIGVERIFY+, +OP_CHECKMULTISIG+, [.keep-together]#+OP_CHECKMULTISIGVERIFY+,# and
|
||
+OP_CHECKSIGADD+.
|
||
Any time one of those is executed, a signature must be
|
||
provided.
|
||
|
||
A digital signature((("digital signatures", "purpose of"))) serves
|
||
three purposes in Bitcoin. First, the
|
||
signature proves that the controller of a private key, who is by
|
||
implication the owner of the funds, has _authorized_ the spending of
|
||
those funds. Secondly, the proof of authorization is _undeniable_
|
||
(nonrepudiation). Thirdly, that the authorized transaction cannot be
|
||
changed by unauthenticated third parties--that its _integrity_ is
|
||
intact.
|
||
|
||
[NOTE]
|
||
====
|
||
Each transaction input and any signatures it may contain is _completely_
|
||
independent of any other input or signature. Multiple parties can
|
||
collaborate to construct transactions and sign only one input each.
|
||
Several protocols use this fact to create multiparty transactions for
|
||
privacy.
|
||
====
|
||
|
||
In this chapter we look at how digital signatures work and how they can
|
||
present proof of control of a private key without revealing that private
|
||
key.
|
||
|
||
[role="less_space pagebreak-before"]
|
||
=== How Digital Signatures Work
|
||
|
||
A digital signature
|
||
consists of two parts. The first part is an algorithm for creating a
|
||
signature for a message (the transaction) using a private key (the
|
||
signing key). The second part is an algorithm
|
||
that allows anyone to verify the signature, given also the message and the corresponding
|
||
public key.
|
||
|
||
==== Creating a Digital Signature
|
||
|
||
In Bitcoin's((("digital signatures", "creating"))) use of digital signature algorithms, the "message" being
|
||
signed is the transaction, or more accurately a hash of a specific
|
||
subset of the data in the transaction, ((("commitment hash")))called the _commitment hash_ (see
|
||
<<sighash_types>>). The
|
||
signing key is the user's private key. The result is the signature:
|
||
|
||
[latexmath]
|
||
++++
|
||
\begin{equation}
|
||
Sig = F_{sig}(F_{hash}(m), x)
|
||
\end{equation}
|
||
++++
|
||
|
||
where:
|
||
|
||
* _x_ is the signing private key
|
||
* _m_ is the message to sign, the commitment hash (such as parts of a transaction)
|
||
* _F_~_hash_~ is the hashing function
|
||
* _F_~_sig_~ is the signing algorithm
|
||
* _Sig_ is the resulting signature
|
||
|
||
You can find more details on the mathematics of schnorr and ECDSA signatures in <<schnorr_signatures>>
|
||
and <<ecdsa_signatures>>.
|
||
|
||
In both schnorr and ECDSA signatures, the function _F_~_sig_~ produces a signature +Sig+ that is composed of
|
||
two values. There are differences between the two values in the
|
||
different algorithms, which we'll explore later. After the two values
|
||
are calculated, they are serialized into a byte stream. For ECDSA
|
||
signatures, the encoding uses an international standard encoding scheme
|
||
called the
|
||
_Distinguished Encoding Rules_, or _DER_. For schnorr signatures, a
|
||
simpler serialization format is used.
|
||
|
||
==== Verifying the Signature
|
||
|
||
The((("digital signatures", "verifying")))((("verifying", "digital signatures"))) signature verification algorithm takes the message (a hash of parts of the transaction and related data), the signer's public key and the signature, and returns ++TRUE++ if the signature is valid for this message and public key.
|
||
|
||
To verify the signature, one must have the signature, the serialized
|
||
transaction, some data about the output being spent, and the public key
|
||
that corresponds to the private key used to create the signature.
|
||
Essentially, verification of a signature means "Only the controller of
|
||
the private key that generated this public key could have produced this
|
||
signature on this transaction."
|
||
|
||
[[sighash_types]]
|
||
==== Signature Hash Types (SIGHASH)
|
||
|
||
Digital signatures((("digital signatures", "SIGHASH flags", id="digital-signature-sighash")))((("SIGHASH flags", id="sighash"))) apply to messages,
|
||
which in the case of Bitcoin, are the transactions themselves. The
|
||
signature proves a _commitment_ by the signer to specific transaction
|
||
data. In the simplest form, the signature applies to almost the entire
|
||
transaction, thereby committing to all the inputs, outputs, and other
|
||
transaction fields. However, a signature can commit to only a subset of
|
||
the data in a transaction, which is useful for a number of scenarios as
|
||
we will see in this section.
|
||
|
||
Bitcoin signatures have a way of indicating which
|
||
part of a transaction's data is included in the hash signed by the
|
||
private key using a +SIGHASH+ flag. The +SIGHASH+ flag is a single byte
|
||
that is appended to the signature. Every signature has either an
|
||
explicit or implicit +SIGHASH+ flag,
|
||
and the flag can be different from input to input. A transaction with
|
||
three signed inputs may have three signatures with different +SIGHASH+
|
||
flags, each signature signing (committing) to different parts of the
|
||
transaction.
|
||
|
||
Remember, each input may contain one or more signatures. As
|
||
a result, an input may have signatures
|
||
with different +SIGHASH+ flags that commit to different parts of the
|
||
transaction. Note also that Bitcoin transactions
|
||
may contain inputs from different "owners," who may sign only one input
|
||
in a partially constructed transaction, collaborating with
|
||
others to gather all the necessary signatures to make a valid
|
||
transaction. Many of the +SIGHASH+ flag types only make sense if you
|
||
think of multiple participants collaborating outside the Bitcoin network
|
||
and updating a partially signed transaction.
|
||
|
||
There are three +SIGHASH+ flags: +ALL+, +NONE+, and +SINGLE+, as shown
|
||
in <<sighash_types_and_their>>.
|
||
|
||
++++
|
||
<table id="sighash_types_and_their">
|
||
<caption>
|
||
<span class="plain"><code>SIGHASH</code></span> types and their meanings</caption>
|
||
<thead>
|
||
<tr>
|
||
<th><code>SIGHASH</code> flag</th>
|
||
<th>Value</th>
|
||
<th>Description</th>
|
||
</tr>
|
||
</thead>
|
||
<tbody>
|
||
<tr>
|
||
<td><p><code>ALL</code></p></td>
|
||
<td><p><code>0x01</code></p></td>
|
||
<td><p>Signature applies to all inputs and outputs</p></td>
|
||
</tr>
|
||
<tr>
|
||
<td><p><code>NONE</code></p></td>
|
||
<td><p><code>0x02</code></p></td>
|
||
<td><p>Signature applies to all inputs, none of the outputs</p></td>
|
||
</tr>
|
||
<tr>
|
||
<td><p><code>SINGLE</code></p></td>
|
||
<td><p><code>0x03</code></p></td>
|
||
<td><p>Signature applies to all inputs but only the one output with the same index number as the signed input</p></td>
|
||
</tr>
|
||
</tbody>
|
||
</table>
|
||
++++
|
||
|
||
In addition, there is a modifier flag, +SIGHASH_ANYONECANPAY+, which can
|
||
be combined with each of the preceding flags. When +ANYONECANPAY+ is
|
||
set, only one input is signed, leaving the rest (and their sequence
|
||
numbers) open for modification. The +ANYONECANPAY+ has the value +0x80+
|
||
and is applied by bitwise OR, resulting in the combined flags as shown
|
||
in <<sighash_types_with_modifiers>>.
|
||
|
||
[role="less_space pagebreak-before"]
|
||
++++
|
||
<table id="sighash_types_with_modifiers">
|
||
<caption>
|
||
<span class="plain"><code>SIGHASH</code></span> types with modifiers and their meanings</caption>
|
||
<thead>
|
||
<tr>
|
||
<th><code>SIGHASH</code> flag</th>
|
||
<th>Value</th>
|
||
<th>Description</th>
|
||
</tr>
|
||
</thead>
|
||
<tbody>
|
||
<tr>
|
||
<td><p><code>ALL|ANYONECANPAY</code></p></td>
|
||
<td><p><code>0x81</code></p></td>
|
||
<td><p>Signature applies to one input and all outputs</p></td>
|
||
</tr>
|
||
<tr>
|
||
<td><p><code>NONE|ANYONECANPAY</code></p></td>
|
||
<td><p><code>0x82</code></p></td>
|
||
<td><p>Signature applies to one input, none of the outputs</p></td>
|
||
</tr>
|
||
<tr>
|
||
<td><p><code>SINGLE|ANYONECANPAY</code></p></td>
|
||
<td><p><code>0x83</code></p></td>
|
||
<td><p>Signature applies to one input and the output with the same index number</p></td>
|
||
</tr>
|
||
</tbody>
|
||
</table>
|
||
++++
|
||
|
||
The way +SIGHASH+ flags are applied during signing and verification is
|
||
that a copy of the transaction is made and certain fields within are
|
||
either omitted or truncated (set to zero length and emptied). The resulting transaction is
|
||
serialized. The +SIGHASH+ flag is included in the serialized
|
||
transaction data and the result is hashed. The hash digest itself is the "message"
|
||
that is signed. Depending on which +SIGHASH+ flag is used, different
|
||
parts of the transaction are included.
|
||
By including the
|
||
+SIGHASH+ flag itself, the signature commits the
|
||
+SIGHASH+ type as well, so it can't be changed (e.g., by a miner).
|
||
|
||
In
|
||
<<serialization_of_signatures_der>>, we will see that the last part of the
|
||
DER-encoded signature was +01+, which is the +SIGHASH_ALL+ flag for ECDSA signatures. This
|
||
locks the transaction data, so Alice's signature is committing to the state
|
||
of all inputs and outputs. This is the most common signature form.
|
||
|
||
Let's look at some of the other +SIGHASH+ types and how they can be used
|
||
in practice:
|
||
|
||
+ALL|ANYONECANPAY+ :: This ((("crowdfunding")))construction can be used to make a
|
||
"crowdfunding”-style transaction. Someone attempting to raise
|
||
funds can construct a transaction with a single output. The single
|
||
output pays the "goal" amount to the fundraiser. Such a transaction is
|
||
obviously not valid, as it has no inputs. However, others can now amend
|
||
it by adding an input of their own as a donation. They sign their own
|
||
input with +ALL|ANYONECANPAY+. Unless enough inputs are gathered to
|
||
reach the value of the output, the transaction is invalid. Each donation
|
||
is a "pledge," which cannot be collected by the fundraiser until the
|
||
entire goal amount is raised. Unfortunately, this protocol can be
|
||
circumvented by the fundraiser adding an input of their own (or from
|
||
someone who lends them funds), allowing them to collect the donations
|
||
even if they haven't reached the specified value.
|
||
|
||
+NONE+ :: This construction can be used to create a "bearer check" or
|
||
"blank check" of a specific amount. It commits to all inputs but allows
|
||
the outputs to be changed. Anyone can write their own
|
||
Bitcoin address into the output script.
|
||
By itself, this allows any miner to change
|
||
the output destination and claim the funds for themselves, but if other
|
||
required signatures in the transaction use +SIGHASH_ALL+ or another type
|
||
that commits to the output, it allows those spenders to change the
|
||
destination without allowing any third parties (like miners) to modify
|
||
the outputs.
|
||
|
||
+NONE|ANYONECANPAY+ :: This construction can be used to build a "dust
|
||
collector." Users who have tiny UTXOs in their wallets can't spend these
|
||
without the cost in fees exceeding the value of the UTXO; see
|
||
<<uneconomical_outputs>>. With this type
|
||
of signature, the uneconomical UTXOs can be donated for anyone to aggregate and
|
||
spend whenever they want.
|
||
|
||
There are some proposals to modify or
|
||
expand the +SIGHASH+ system. The most widely discussed proposal as of
|
||
this writing is ((("BIP118 SIGHASH flags")))BIP118, which proposes to add two
|
||
new sighash flags. A signature using +SIGHASH_ANYPREVOUT+ would not
|
||
commit to an input's outpoint field, allowing it to be used to spend any
|
||
previous output for a particular witness program. For example, if Alice
|
||
receives two outputs for the same amount to the same witness program
|
||
(e.g., requiring a single signature from her wallet), a
|
||
+SIGHASH_ANYPREVOUT+ signature for spending either one of those outputs
|
||
could be copied and used to spend the other output to the same
|
||
destination.
|
||
|
||
A signature using +SIGHASH_ANYPREVOUTANYSCRIPT+ would not
|
||
commit to the outpoint, the amount, the witness program, or the
|
||
specific leaf in the taproot merkle tree (script tree), allowing it to spend any previous output that the signature could satisfy. For example, if Alice received two
|
||
outputs for different amounts and different witness programs (e.g., one
|
||
requiring a single signature and another requiring her signature plus some
|
||
other data), a +SIGHASH_ANYPREVOUTANYSCRIPT+ signature for spending
|
||
either one of those outputs could be copied and used to spend the other
|
||
output to the same destination (assuming the extra data for the second
|
||
output was known).
|
||
|
||
The main expected use for the two ++SIGHASH_ANYPREVOUT++ opcodes is improved
|
||
payment channels, such as those used in the Lightning Network (LN), although
|
||
several other uses have been described.
|
||
|
||
[NOTE]
|
||
====
|
||
You will not often see +SIGHASH+ flags presented as an option in a user's
|
||
wallet application. Simple wallet applications
|
||
sign with [.keep-together]#+SIGHASH_ALL+# flags. More sophisticated applications, such as
|
||
LN nodes, may use alternative +SIGHASH+ flags, but they
|
||
use protocols that have been extensively reviewed to understand the
|
||
influence of the alternative ((("digital signatures", "SIGHASH flags", startref="digital-signature-sighash")))((("SIGHASH flags", startref="sighash")))flags.
|
||
====
|
||
|
||
[[schnorr_signatures]]
|
||
=== Schnorr Signatures
|
||
|
||
In 1989, ((("digital signatures", "schnorr signature algorithm", id="digital-sigs-schnorr")))((("schnorr signature algorithm", id="schnorr")))Claus Schnorr published a paper describing the signature
|
||
algorithm that's become eponymous with him. The algorithm isn't
|
||
specific to the elliptic curve cryptography (ECC) that Bitcoin and many
|
||
other applications use, although it is perhaps most strongly associated
|
||
with ECC today. Schnorr signatures have a number of nice properties:
|
||
|
||
Provable security::
|
||
A mathematical ((("digital signatures", "schnorr signature algorithm", "properties of")))((("schnorr signature algorithm", "properties of")))proof of the security of schnorr signatures depends on
|
||
only the difficulty of solving the Discrete Logarithm Problem (DLP),
|
||
particularly for elliptic curves (EC) for Bitcoin, and the ability of
|
||
a hash function (like the SHA256 function used in Bitcoin) to produce
|
||
unpredictable values, called the random oracle model (ROM). Other
|
||
signature algorithms have additional dependencies or require much
|
||
larger public keys or signatures for equivalent security to
|
||
ECC-Schnorr (when the threat is defined as classical computers; other
|
||
algorithms may provide more efficient security against quantum
|
||
computers).
|
||
|
||
Linearity::
|
||
Schnorr signatures have a property that mathematicians ((("linearity")))call
|
||
_linearity_, which applies to functions with two particular
|
||
properties. The first property is that summing together two or more
|
||
variables and then running a function on that sum will produce the
|
||
same value as running the function on each of the variables
|
||
independently and then summing together the results, e.g.,
|
||
_f(x_ + _y_ + _z)_ == _f(x)_ + _f(y)_ + _f(z)_; this property is((("additivity"))) called
|
||
_additivity_. The second property is that multiplying a variable and
|
||
then running a function on that product will produce the same value as
|
||
running the function on the variable and then multiplying it by the
|
||
same amount, e.g., _f(a_ × _x)_ == _a_ × _f(x)_; this property is ((("homogeneity of degree 1")))called
|
||
_homogeneity of degree 1_.
|
||
+
|
||
In cryptographic operations, some functions may be private (such
|
||
as functions involving private keys or secret nonces), so being able
|
||
to get the same result whether performing an operation inside or
|
||
outside of a function makes it easy for multiple parties to coordinate
|
||
and cooperate without sharing their secrets. We'll see some of the
|
||
specific benefits of linearity in schnorr signatures in
|
||
<<schnorr_multisignatures>> and <<schnorr_threshold_signatures>>.
|
||
|
||
Batch verification::
|
||
When used((("batch verification of digital signatures"))) in a certain way (which Bitcoin does), one consequence of
|
||
schnorr's linearity is that it's relatively straightforward to verify
|
||
more than one schnorr signature at the same time in less time than it
|
||
would take to verify each signature independently. The more
|
||
signatures that are verified in a batch, the greater the speed up.
|
||
For the typical number of signatures in a block, it's possible to
|
||
batch verify them in about half the amount of time it would take to
|
||
verify each signature independently.
|
||
|
||
Later in this chapter, we'll describe the schnorr signature algorithm
|
||
exactly as it's used in Bitcoin, but we're going to start with a
|
||
simplified version of it and work our way toward the actual protocol in
|
||
stages.
|
||
|
||
[role="less_space pagebreak-before"]
|
||
Alice((("digital signatures", "schnorr signature algorithm", "examples of usage")))((("schnorr signature algorithm", "examples of usage"))) starts by choosing a large random number (_x_), which we call her
|
||
_private key_. She also knows a public point on Bitcoin's elliptic
|
||
curve called the Generator (_G_) (see <<public_key_derivation>>). Alice uses EC
|
||
multiplication to multiply _G_ by her private key _x_, in which case _x_
|
||
is called a _scalar_ because it scales up _G_. The result is _xG_,
|
||
which we call Alice's _public key_. Alice gives her public key to Bob.
|
||
Even though Bob also knows _G_, the DLP prevents Bob from being able to divide _xG_ by _G_ to derive Alice's
|
||
private key.
|
||
|
||
At some later time, Bob wants Alice to identify herself by proving
|
||
that she knows the scalar _x_ for the public key (_xG_) that Bob
|
||
received earlier. Alice can't give Bob _x_ directly because that would
|
||
allow him to identify as her to other people, so she needs to prove
|
||
her knowledge of _x_ without revealing _x_ to Bob,((("zero-knowledge proof"))) called a
|
||
_zero-knowledge proof_. For that, we begin the schnorr identity
|
||
process:
|
||
|
||
1. Alice chooses another large random number (_k_), which we call the
|
||
_private nonce_. Again she uses it as a scalar, multiplying it by _G_
|
||
to produce _kG_, which we call the _public nonce_. She gives the
|
||
public nonce to Bob.
|
||
|
||
2. Bob chooses a large random number of his own, _e_, which we call the
|
||
_challenge scalar_. We say "challenge" because it's used to challenge
|
||
Alice to prove that she knows the private key (_x_) for the public key
|
||
(_xG_) she previously gave Bob; we say "scalar" because it will later
|
||
be used to multiply an EC point.
|
||
|
||
3. Alice now has the numbers (scalars) _x_, _k_, and _e_. She combines
|
||
them together to produce a final scalar _s_ using the formula
|
||
_s_ = _k_ + _ex_. She gives _s_ to Bob.
|
||
|
||
4. Bob now knows the scalars _s_ and _e_, but not _x_ or _k_. However,
|
||
Bob does know _xG_ and _kG_, and he can compute for himself _sG_ and
|
||
_exG_. That means he can check the equality of a scaled-up version of
|
||
the operation Alice performed: [.keep-together]#_sG_ == _kG_ + _exG_.# If that is equal,
|
||
then Bob can be sure that Alice knew _x_ when she generated _s_.
|
||
|
||
.Schnorr Identity Protocol with Integers Instead of Points
|
||
****
|
||
It might be easier to understand the interactive schnorr identity
|
||
protocol if we create an insecure oversimplification by substituting each of the preceding values (including _G_) with simple integers instead of points on an elliptic curve.
|
||
For example, we'll use the prime numbers starting with 3:
|
||
|
||
Setup: Alice chooses _x_ = 3 as her private key. She multiplies it by the
|
||
generator _G_ = 5 to get her public key _xG_ = 15. She gives Bob 15.
|
||
|
||
1. Alice chooses the private nonce _k_ = 7 and generates the public nonce
|
||
_kG_ = 35. She gives Bob 35.
|
||
|
||
2. Bob chooses _e_ = 11 and gives it to Alice.
|
||
|
||
3. Alice generates _s_ = 40 = 7 + 11 × 3. She gives Bob 40.
|
||
|
||
4. Bob derives _sG_ = 200 = 40 × 5 and _exG_ = 165 = 11 × 15. He then
|
||
verifies that [.keep-together]#200 == 35 + 165.# Note that this is the same operation
|
||
that Alice performed, but all of the values have been scaled up by 5
|
||
(the value of _G_).
|
||
|
||
Of course, this is an oversimplified example. When working with simple
|
||
integers, we can divide products by the generator _G_ to get the
|
||
underlying scalar, which isn't secure. This is why a critical property
|
||
of the elliptic curve cryptography used in Bitcoin is that
|
||
multiplication is easy but division by a point on the curve is impractical. Also, with numbers
|
||
this small, finding underlying values (or valid substitutes) through
|
||
brute force is easy; the numbers used in Bitcoin are much larger.
|
||
****
|
||
|
||
Let's discuss some of the features of the interactive schnorr
|
||
identity protocol that make it secure:
|
||
|
||
The nonce (k)::
|
||
In step 1, ((("digital signatures", "schnorr signature algorithm", "security features")))((("schnorr signature algorithm", "security features")))Alice chooses a number that Bob doesn't
|
||
know and can't guess and gives him the scaled form of that number,
|
||
_kG_. At that point, Bob also already has her public key (_xG_),
|
||
which is the scaled form of _x_, her private key. That means when Bob is working on
|
||
the final equation (_sG_ = _kG_ + _exG_), there are two independent
|
||
variables that Bob doesn't know (_x_ and _k_). It's possible to use
|
||
simple algebra to solve an equation with one unknown variable but not
|
||
two independent unknown variables, so the presence of Alice's nonce
|
||
prevents Bob from being able to derive her private key. It's critical
|
||
to note that this protection depends on nonces being unguessable in
|
||
any way. If there's anything predictable about Alice's nonce, Bob may
|
||
be able to leverage that into figuring out Alice's private key. See
|
||
<<nonce_warning>> for more details.
|
||
|
||
The challenge scalar (e)::
|
||
Bob waits to receive Alice's public nonce
|
||
and then proceeds in step 2 to give her a number (the challenge
|
||
scalar) that Alice didn't previously know and couldn't have guessed.
|
||
It's critical that Bob only give her the challenge scalar after she
|
||
commits to her public nonce. Consider what could happen if someone
|
||
who didn't know _x_ wanted to impersonate Alice, and Bob accidentally
|
||
gave them the challenge scalar _e_ before they told him the public
|
||
nonce _kG_. This allows the impersonator to change parameters on both sides of
|
||
the equation that Bob will use for verification, _sG_ == _kG_ + _exG_;
|
||
specifically, they can change both _sG_ and _kG_. Think about a
|
||
simplified form of that expression: _x_ = _y_ + _a_. If you can change both
|
||
_x_ and _y_, you can cancel out _a_ using _x_++'++ = (_x_ – _a_) + _a_. Any
|
||
value you choose for _x_ will now satisfy the equation. For the
|
||
actual equation the impersonator simply chooses a random number for _s_, generates
|
||
_sG_, and then uses EC subtraction to select a _kG_ that equals _kG_ =
|
||
_sG_ – _exG_. They give Bob their calculated _kG_ and later their random
|
||
_sG_, and Bob thinks that's valid because [.keep-together]#_sG_ == (_sG_ – _exG_)# + _exG_.
|
||
This explains why the order of operations in the protocol is
|
||
essential: Bob must only give Alice the challenge scalar after Alice
|
||
has committed to her public nonce.
|
||
|
||
++++
|
||
<p class="fix_tracking">
|
||
The interactive identity protocol described here matches part of Claus
|
||
Schnorr's original description, but it lacks two essential features we
|
||
need for the decentralized Bitcoin network. The first of these is that
|
||
it relies on Bob waiting for Alice to commit to her public nonce and
|
||
then Bob giving her a random challenge scalar. In Bitcoin, the spender
|
||
of every transaction needs to be authenticated by thousands of Bitcoin
|
||
full nodes—including future nodes that haven't been started yet but
|
||
whose operators will one day want to ensure the bitcoins they receive
|
||
came from a chain of transfers where every transaction was valid. Any
|
||
Bitcoin node that is unable to communicate with Alice, today or in the
|
||
future, will be unable to authenticate her transaction and will be in
|
||
disagreement with every other node that did authenticate it. That's not
|
||
acceptable for a consensus system like Bitcoin. For Bitcoin to work, we
|
||
need a protocol that doesn't require interaction between Alice and each
|
||
node that wants to authenticate her.
|
||
</p>
|
||
++++
|
||
|
||
A simple technique, known as the Fiat-Shamir transform after its
|
||
discoverers, can turn the schnorr interactive identity protocol
|
||
into a noninteractive digital signature scheme. Recall the importance
|
||
of steps 1 and 2--including that they be performed in order. Alice must
|
||
commit to an unpredictable nonce; Bob must give Alice an unpredictable
|
||
challenge scalar only after he has received her commitment. Recall also
|
||
the properties of secure cryptographic hash functions we've used
|
||
elsewhere in this book: it will always produce the same output when
|
||
given the same input but it will produce a value indistinguishable from
|
||
random data when given a different input.
|
||
|
||
This allows Alice to choose her private nonce, derive her public nonce,
|
||
and then hash the public nonce to get the challenge scalar. Because
|
||
Alice can't predict the output of the hash function (the challenge), and
|
||
because it's always the same for the same input (the nonce), this
|
||
ensures that Alice gets a random challenge even though she chooses the nonce
|
||
and hashes it herself. We no longer need interaction from Bob. She can
|
||
simply publish her public nonce _kG_ and the scalar _s_, and each of the
|
||
thousands of full nodes (past and future) can hash _kG_ to produce _e_,
|
||
use that to produce _exG_, and then verify _sG_ == _kG_ + _exG_. Written
|
||
explicitly, the verification equation becomes [.keep-together]#_sG_ == _kG_ + _hash_(_kG_) × _xG_.#
|
||
|
||
We need one other thing to finish converting the interactive schnorr
|
||
identity protocol into a digital signature protocol useful for
|
||
Bitcoin. We don't just want Alice to prove that she knows her private
|
||
key; we also want to give her the ability to commit to a message. Specifically,
|
||
we want her to commit to the data related to the Bitcoin transaction she
|
||
wants to send. With the Fiat-Shamir transform in place, we already
|
||
have a commitment, so we can simply have it additionally commit to the
|
||
message. Instead of _hash_(_kG_), we now also commit to the message
|
||
_m_ using _hash_(_kG_ || _m_), where || stands for concatenation.
|
||
|
||
We've now defined a version of the schnorr signature protocol, but
|
||
there's one more thing we need to do to address a Bitcoin-specific
|
||
concern. In BIP32 key derivation, as described in
|
||
<<public_child_key_derivation>>, the algorithm for unhardened derivation
|
||
takes a public key and adds to it a nonsecret value to produce a
|
||
derived public key. That means it's also possible to add that
|
||
nonsecret value to a valid signature for one key to produce a signature
|
||
for a related key. That related signature is valid but it wasn't
|
||
authorized by the person possessing the private key, which is a major
|
||
security failure. To protect BIP32 unhardened derivation and
|
||
also support several protocols people wanted to build on top of schnorr
|
||
signatures, Bitcoin's version of schnorr signatures, called _BIP340
|
||
schnorr signatures for secp256k1_, also commits to the public key being
|
||
used in addition to the public nonce and the message. That makes the
|
||
full commitment _hash_(_kG_ || _xG_ || _m_).
|
||
|
||
Now that we've described each part of the BIP340 schnorr signature
|
||
algorithm and explained what it does for us, we can define the protocol.
|
||
Multiplication of integers are performed _modulus p_, indicating that the
|
||
result of the operation is divided by the number _p_ (as defined in the
|
||
secp256k1 standard) and the remainder is used. The number _p_ is very
|
||
large, but if it was 3 and the result of an operation was 5, the actual
|
||
number we would use is 2 (i.e., 5 divided by 3 has a remainder of 2).
|
||
|
||
Setup: Alice chooses a large random number (_x_) as her private key
|
||
(either directly or by using a protocol like BIP32 to deterministically
|
||
generate a private key from a large random seed value). She uses the
|
||
parameters defined in secp256k1 (see <<elliptic_curve>>) to multiply the
|
||
generator _G_ by her scalar _x_, producing _xG_ (her public key). She
|
||
gives her public key to everyone who will later authenticate her Bitcoin
|
||
transactions (e.g., by having _xG_ included in a transaction output). When
|
||
she's ready to spend, she begins generating her signature:
|
||
|
||
1. Alice chooses a large random private nonce _k_ and derives the public
|
||
nonce _kG_.
|
||
|
||
2. She chooses her message _m_ (e.g., transaction data) and generates the
|
||
challenge scalar _e_ = _hash_(_kG_ || _xG_ || _m_).
|
||
|
||
3. She produces the scalar _s_ = _k_ + _ex_. The two values _kG_ and _s_
|
||
are her signature. She gives this signature to everyone who wants to
|
||
verify that signature; she also needs to ensure everyone receives her
|
||
message _m_. In Bitcoin, this is done by including her signature in
|
||
the witness structure of her spending transaction and then relaying that
|
||
transaction to full nodes.
|
||
|
||
4. The verifiers (e.g., full nodes) use _s_ to derive _sG_ and then
|
||
verify that _sG_ == _kG_ + _hash_(_kG_ || _xG_ || _m_) × _xG_. If the equation is
|
||
valid, Alice proved that she knows her private key _x_ (without
|
||
revealing it) and committed to the message _m_ (containing the
|
||
transaction data).
|
||
|
||
==== Serialization of Schnorr Signatures
|
||
|
||
A schnorr signature ((("digital signatures", "schnorr signature algorithm", "serialization")))((("schnorr signature algorithm", "serialization")))((("serialization", "of schnorr signature algorithm", secondary-sortas="schnorr")))consists of two values, _kG_ and _s_. The value
|
||
_kG_ is a point on Bitcoin's elliptic curve (called secp256k1) and would normally be represented by two 32-byte coordinates, e.g., (_x_, _y_).
|
||
However, only the _x_ coordinate is needed, so only that value is
|
||
included. When you see _kG_ in schnorr signatures for Bitcoin, note that it's only that point's _x_
|
||
coordinate.
|
||
|
||
The value _s_ is a scalar (a number meant to multiply other numbers). For
|
||
Bitcoin's secp256k1 curve, it can never be more than 32 bytes long.
|
||
|
||
Although both _kG_ and _s_ can sometimes be values that can be
|
||
represented with fewer than 32 bytes, it's improbable that they'd be
|
||
much smaller than 32 bytes, so they're serialized as two 32-byte
|
||
values (i.e., values smaller than 32 bytes have leading zeros).
|
||
They're serialized in the order of _kG_ and then _s_, producing exactly
|
||
64 bytes.
|
||
|
||
The taproot soft fork, also called v1 segwit, introduced schnorr signatures
|
||
to Bitcoin and is the only way they are used in Bitcoin as of this writing. When
|
||
used with either taproot keypath or scriptpath spending, a 64-byte
|
||
schnorr signature is considered to use a default signature hash (sighash)
|
||
that is +SIGHASH_ALL+. If an alternative sighash is used, or if the
|
||
spender wants to waste space to explicitly specify +SIGHASH_ALL+, a
|
||
single additional byte is appended to the signature that specifies the
|
||
signature hash, making the signature 65 bytes.
|
||
|
||
As we'll see, either 64 or 65 bytes is considerably more efficient that
|
||
the serialization used for ECDSA signatures described in
|
||
<<serialization_of_signatures_der>>.
|
||
|
||
[[schnorr_multisignatures]]
|
||
==== Schnorr-based Scriptless Multisignatures
|
||
|
||
In the((("digital signatures", "schnorr signature algorithm", "scriptless multisignatures", id="digital-sigs-schnorr-multisig")))((("schnorr signature algorithm", "scriptless multisignatures", id="schnorr-multisig")))((("scriptless multisignatures", "in schnorr signature algorithm", secondary-sortas="schnorr", id="scriptless-multi-schnorr")))((("multisignature scripts", "in schnorr signature algorithm", secondary-sortas="schnorr", id="multi-script-schnorr"))) single-signature schnorr protocol described in <<schnorr_signatures>>, Alice
|
||
uses a signature (_kG_, _s_) to publicly prove her knowledge of her
|
||
private key, which in this case we'll call _y_. Imagine if Bob also has
|
||
a private key (_z_) and he's willing to work with Alice to prove that
|
||
together they know _x_ = _y_ + _z_ without either of them revealing their
|
||
private key to each other or anyone else. Let's go through the BIP340
|
||
schnorr signature protocol again.
|
||
|
||
[WARNING]
|
||
====
|
||
The simple protocol we are about to describe is not secure for the
|
||
reasons we will explain shortly. We use it only to demonstrate the
|
||
mechanics of schnorr multisignatures before describing related protocols
|
||
that are believed to be secure.
|
||
====
|
||
|
||
Alice and Bob need to derive the public key for _x_, which is _xG_.
|
||
Since it's possible to use elliptic curve operations to add two EC
|
||
points together, they start by Alice deriving _yG_ and Bob deriving
|
||
_zG_. They then add them together to create [.keep-together]#_xG_ = _yG_ + _zG_.# The point
|
||
_xG_ is ((("aggregated public keys")))((("public keys", "aggregated")))their _aggregated public key_. To create a signature, they begin the
|
||
simple multisignature protocol:
|
||
|
||
1. They each individually choose a large random private nonce, _a_ for
|
||
Alice and _b_ for Bob. They also individually derive the corresponding
|
||
public nonce _aG_ and _bG_. Together, they produce an aggregated
|
||
public nonce _kG_ = _aG_ + _bG_.
|
||
|
||
2. They agree on the message to sign, _m_ (e.g., a transaction), and
|
||
each generates a copy of the challenge scalar: _e_ = _hash_(_kG_ || _xG_ || _m_).
|
||
|
||
3. Alice produces the scalar _q_ = _a_ + _ey_. Bob produces the scalar
|
||
_r_ = _b_ + _ez_. They add the scalars together to produce
|
||
_s_ = _q_ + _r_. Their signature is the two values _kG_ [.keep-together]#and _s_.#
|
||
|
||
4. The verifiers check their public key and signature using the normal
|
||
equation: [.keep-together]#_sG_ ==# _kG_ + _hash_(_kG_ || _xG_ || _m_) × _xG_.
|
||
|
||
Alice and Bob have proven that they know the sum of their private keys without
|
||
either one of them revealing their private key to the other or anyone
|
||
else. The protocol can be extended to any number of participants (e.g.,
|
||
a million people could prove they knew the sum of their million
|
||
different keys).
|
||
|
||
The preceding protocol has several security problems. Most notable is that one
|
||
party might learn the public keys of the other parties before committing
|
||
to their own public key. For example, Alice generates her public key
|
||
_yG_ honestly and shares it with Bob. Bob generates his public key
|
||
using _zG_ – _yG_. When their two keys are combined [.keep-together]#(_yG_ + _zG_ – _yG_),# the
|
||
positive and negative _yG_ terms cancel out so the public key only represents
|
||
the private key for _z_ (i.e., Bob's private key). Now Bob can create a
|
||
valid signature without any assistance from Alice. This is ((("key cancellation attacks")))called a
|
||
_key cancellation attack_.
|
||
|
||
There are various ways to solve the key cancellation attack. The
|
||
simplest scheme would be to require each participant commit to their
|
||
part of the public key before sharing anything about that key with all
|
||
of the other participants. For example, Alice and Bob each individually
|
||
hash their public keys and share their digests with each other. When
|
||
they both have the other's digest, they can share their keys. They
|
||
individually check that the other's key hashes to the previously
|
||
provided digest and then proceed with the protocol normally. This prevents
|
||
either one of them from choosing a public key that cancels out the keys
|
||
of the other participants. However, it's easy to fail to implement this
|
||
scheme correctly, such as using it in a naive way with unhardened
|
||
BIP32 public key derivation. Additionally, it adds an extra step for
|
||
communication between the participants, which may be undesirable in many
|
||
cases. More complex schemes have been proposed that address these
|
||
shortcomings.
|
||
|
||
In addition to the key cancellation attack, there are a number of
|
||
attacks possible against ((("nonce attacks")))nonces. Recall that the purpose of the nonce
|
||
is to prevent anyone from being able to use their knowledge of other values
|
||
in the signature verification equation to solve for your private key,
|
||
determining its value. To effectively accomplish that, you must use a
|
||
different nonce every time you sign a different message or change other
|
||
signature parameters. The different nonces must not be related in any
|
||
way. For a multisignature, every participant must follow these rules or
|
||
it could compromise the security of other participants. In addition,
|
||
cancellation and other attacks need to be prevented. Different
|
||
protocols that accomplish these aims make different trade-offs, so
|
||
there's no single multisignature protocol to recommend in all cases.
|
||
Instead, we'll note three from the MuSig family of protocols:
|
||
|
||
MuSig::
|
||
Also called _MuSig1_, this protocol((("MuSig protocol"))) requires three rounds of
|
||
communication during the signing process, making it similar to the
|
||
process we just described. MuSig1's greatest advantage is its
|
||
simplicity.
|
||
|
||
MuSig2::
|
||
This only ((("MuSig2 protocol")))requires two rounds of communication and can sometimes allow
|
||
one of the rounds to be combined with key exchange. This can
|
||
significantly speed up signing for certain protocols, such as how
|
||
scriptless multisignatures are planned to be used in the LN. MuSig2 is specified in BIP327 (the only scriptless
|
||
multisignature protocol that has a BIP as of this writing).
|
||
|
||
MuSig-DN::
|
||
DN stands ((("MuSig-DN protocol")))((("repeated session attacks")))for Deterministic Nonce, which eliminates as a concern a
|
||
problem known as the _repeated session attack_. It can't be combined
|
||
with key exchange and it's significantly more complex to implement
|
||
than MuSig or MuSig2.
|
||
|
||
For most applications, MuSig2 is the best multisignature protocol
|
||
available at the time((("digital signatures", "schnorr signature algorithm", "scriptless multisignatures", startref="digital-sigs-schnorr-multisig")))((("schnorr signature algorithm", "scriptless multisignatures", startref="schnorr-multisig")))((("scriptless multisignatures", "in schnorr signature algorithm", secondary-sortas="schnorr", startref="scriptless-multi-schnorr")))((("multisignature scripts", "in schnorr signature algorithm", secondary-sortas="schnorr", startref="multi-script-schnorr"))) of writing.
|
||
|
||
[[schnorr_threshold_signatures]]
|
||
==== Schnorr-based Scriptless Threshold Signatures
|
||
|
||
Scriptless ((("digital signatures", "schnorr signature algorithm", "scriptless threshold signatures", id="digital-sigs-schnorr-threshold")))((("schnorr signature algorithm", "scriptless threshold signatures", id="schnorr-threshold")))((("scriptless threshold signatures", id="scriptless-threshold-schnorr")))((("threshold signatures", "in schnorr signature algorithm", secondary-sortas="schnorr", id="threshold-schnorr")))multisignature protocols only work for _k_-of-_k_ signing.
|
||
Everyone with a partial public key that becomes part of the aggregated
|
||
public key must contribute a partial signature and partial nonce to the
|
||
final signature. Sometimes, though, the participants want to allow a
|
||
subset of them to sign, such as _t_-of-_k_ where a threshold (_t_) number of participants can sign for
|
||
a key constructed by _k_ participants. That type of signature is called a
|
||
_threshold signature_.
|
||
|
||
We saw script-based threshold signatures in
|
||
<<multisig>>. But just as
|
||
scriptless multisignatures save space and increase privacy compared to
|
||
scripted multisignatures, _scriptless threshold signatures_ save space and
|
||
increase privacy compared to _scripted threshold signatures_. To anyone
|
||
not involved in the signing, a _scriptless threshold signature_ looks
|
||
like any other signature that could've been created by a single-sig
|
||
user or through a scriptless multisignature protocol.
|
||
|
||
Various methods are known for generating scriptless threshold
|
||
signatures, with the simplest being a slight modification of how we
|
||
created scriptless multisignatures previously. This protocol also
|
||
depends on verifiable secret sharing (which itself depends on secure
|
||
secret sharing).
|
||
|
||
Basic secret sharing can work through simple splitting. Alice has a
|
||
secret number that she splits into three equal-length parts and shares
|
||
with Bob, Carol, and Dan. Those three can combine the partial numbers
|
||
they received (called _shares_) in the correct order to reconstruct
|
||
Alice's secret. A more sophisticated scheme would involve Alice adding
|
||
on some additional information to each share, called a correction code,
|
||
that allows any two of them to recover the number. This scheme is not
|
||
secure because each share gives its holder partial knowledge of Alice's
|
||
secret, making it easier for the participant to guess Alice's secret
|
||
than a nonparticipant who didn't have a share.
|
||
|
||
A secure secret sharing scheme prevents participants from learning
|
||
anything about the secret unless they combine the minimum threshold
|
||
number of shares. For example, Alice can choose a threshold of
|
||
2 if she wants any two of Bob, Carol, and Dan to be able to
|
||
reconstruct her secret. The best known secure secret sharing algorithm
|
||
is _Shamir's Secret Sharing Scheme_, commonly abbreviated SSSS and named
|
||
after its discoverer, one of the same discoverers of the Fiat-Shamir
|
||
transform we saw in <<schnorr_signatures>>.
|
||
|
||
In some cryptographic protocols, such as the scriptless threshold signature
|
||
schemes we're working toward, it's critical for Bob, Carol, and Dan to
|
||
know that Alice followed her side of the protocol correctly. They need to
|
||
know that the shares she creates all derive from the same secret, that
|
||
she used the threshold value she claims, and that she gave each one of
|
||
them a different share. A protocol that can accomplish all of that,
|
||
and still be a secure secret sharing scheme, is a _verifiable secret
|
||
sharing scheme_.
|
||
|
||
To see how multisignatures and verifiable secret sharing work for
|
||
Alice, Bob, and Carol, imagine they each wish to receive funds that can
|
||
be spent by any two of them. They collaborate as described in
|
||
<<schnorr_multisignatures>> to produce a regular multisignature public
|
||
key to accept the funds (k-of-k). Then each participant derives two
|
||
secret shares from their private key--one for each of two the other
|
||
participants. The shares allow any two of them to reconstruct the
|
||
originating partial private key for the multisignature. Each participant
|
||
distributes one of their secret shares to the other two participants,
|
||
resulting in each participant storing their own partial private key and
|
||
one share for every other participant. Subsequently, each participant
|
||
verifies the authenticity and uniqueness of the shares they received
|
||
compared to the shares given to the other participants.
|
||
|
||
Later on, when (for example) Alice and Bob want to generate a scriptless
|
||
threshold signature without Carol's involvement, they exchange the two
|
||
shares they possess for Carol. This enables them to reconstruct Carol's
|
||
partial private key. Alice and Bob also have their private keys,
|
||
allowing them to create a scriptless multisignature with all three
|
||
necessary keys.
|
||
|
||
In other words, the scriptless threshold signature scheme just described
|
||
is the same as a scriptless multisignature scheme except that
|
||
a threshold number of participants have the ability to reconstruct the
|
||
partial private keys of any other participants who are unable or
|
||
unwilling to sign.
|
||
|
||
This does point to a few things to be aware about when considering a
|
||
scriptless threshold signature protocol:
|
||
|
||
No accountability::
|
||
Because Alice and Bob reconstruct Carol's partial
|
||
private key, there can be no fundamental difference between a scriptless
|
||
multisignature produced by a process that involved Carol and one that
|
||
didn't. Even if Alice, Bob, or Carol claim that they didn't sign,
|
||
there's no guaranteed way for them to prove that they didn't
|
||
help produce the signature. If it's important to know which members of
|
||
the group signed, you will need to use a script.
|
||
|
||
Manipulation attacks::
|
||
Imagine that Bob tells Alice that Carol is
|
||
unavailable, so they work together to reconstruct Carol's partial
|
||
private key. Then Bob tells Carol that Alice is unavailable, so they
|
||
work together to reconstruct Alice's partial private key. Now Bob has
|
||
his own partial private key plus the keys of Alice and Carol, allowing
|
||
him to spend the funds himself without their involvement. This attack can
|
||
be addressed if all of the participants agree to only communicate using a
|
||
scheme that allows any one of them to see all of the other's messages
|
||
(e.g., if Bob tells Alice that Carol is unavailable, Carol is able to see
|
||
that message before she begins working with Bob). Other solutions,
|
||
possibly more robust solutions, to this problem were being researched at
|
||
the time of writing.
|
||
|
||
No scriptless threshold signature protocol has been proposed as a BIP
|
||
yet, although significant research into the subject has been performed
|
||
by multiple Bitcoin contributors and we expect peer-reviewed solutions
|
||
will become available after the publication of this((("digital signatures", "schnorr signature algorithm", startref="digital-sigs-schnorr")))((("schnorr signature algorithm", startref="schnorr")))((("digital signatures", "schnorr signature algorithm", "scriptless threshold signatures", startref="digital-sigs-schnorr-threshold")))((("schnorr signature algorithm", "scriptless threshold signatures", startref="schnorr-threshold")))((("scriptless threshold signatures", startref="scriptless-threshold-schnorr")))((("threshold signatures", "in schnorr signature algorithm", secondary-sortas="schnorr", startref="threshold-schnorr"))) book.
|
||
|
||
[[ecdsa_signatures]]
|
||
=== ECDSA Signatures
|
||
|
||
Unfortunately ((("digital signatures", "ECDSA", id="digital-signature-ecdsa")))((("ECDSA (Elliptic Curve Digital Signature Algorithm)", id="ecdsa")))for the future development of Bitcoin and many other
|
||
applications, Claus Schnorr patented the algorithm he discovered and
|
||
prevented its use in open standards and open source software for almost
|
||
two decades. Cryptographers in the early 1990s who were blocked from
|
||
using the schnorr signature scheme developed an alternative construction
|
||
called the _Digital Signature Algorithm_ (DSA), with a version adapted
|
||
to elliptic curves called ECDSA.
|
||
|
||
The ECDSA scheme and standardized parameters for suggested curves it could be used
|
||
with were widely implemented in cryptographic libraries by the time
|
||
development on Bitcoin began in 2007. This was almost certainly the
|
||
reason why ECDSA was the only digital signature protocol that Bitcoin
|
||
supported from its first release version until the activation of the
|
||
taproot soft fork in 2021. ECDSA remains supported today for all
|
||
non-taproot transactions. Some of the differences compared to schnorr
|
||
signatures include:
|
||
|
||
More complex::
|
||
As we'll see, ECDSA requires more operations to create or verify a
|
||
signature than the schnorr signature protocol. It's not significantly
|
||
more complex from an implementation standpoint, but that extra
|
||
complexity makes ECDSA less flexible, less performant, and harder to
|
||
prove secure.
|
||
|
||
Less provable security::
|
||
The interactive schnorr signature identification protocol depends only
|
||
on the strength of the elliptic curve Discrete Logarithm Problem
|
||
(ECDLP). The non-interactive authentication protocol used in Bitcoin
|
||
also relies on the random oracle model (ROM). However, ECDSA's extra
|
||
complexity has prevented a complete proof of its security being
|
||
published (to the best of our knowledge). We are not experts in
|
||
proving cryptographic algorithms, but it seems unlikely after 30 years
|
||
that ECDSA will be proven to only require the same two assumptions as
|
||
schnorr.
|
||
|
||
Nonlinear::
|
||
ECDSA signatures cannot be easily combined to create scriptless
|
||
multisignatures or used in related advanced applications, such as
|
||
multiparty signature adaptors. There are workarounds for this
|
||
problem, but they involve additional extra complexity that
|
||
significantly slows down operations and which, in some cases, has
|
||
resulted in software accidentally leaking private keys.
|
||
|
||
==== ECDSA Algorithm
|
||
|
||
Let's look at the math of ECDSA.
|
||
Signatures are created by a mathematical function _F_~_sig_~
|
||
that produces a signature composed of two values. In ECDSA, those two
|
||
values are _R_ and _s_.
|
||
|
||
The signature
|
||
algorithm first generates a private nonce (_k_) and derives from it a public
|
||
nonce (_K_). The _R_ value of the digital signature is then the _x_
|
||
coordinate of the nonce _K_.
|
||
|
||
From there, the algorithm calculates the _s_ value of the signature. Like we did with schnorr signatures, operations involving
|
||
integers are modulus p:
|
||
|
||
[latexmath]
|
||
++++
|
||
\begin{equation}
|
||
s = k^{-1} (Hash(m) + x \times R)
|
||
\end{equation}
|
||
++++
|
||
|
||
|
||
where:
|
||
|
||
* _k_ is the private nonce
|
||
* _R_ is the _x_ coordinate of the public nonce
|
||
* _x_ is the Alice's private key
|
||
* _m_ is the message (transaction data)
|
||
|
||
Verification is the inverse of the signature generation function, using
|
||
the _R_, _s_ values and the public key to calculate a value _K_, which
|
||
is a point on the elliptic curve (the public nonce used in
|
||
signature creation):
|
||
|
||
[latexmath]
|
||
++++
|
||
\begin{equation}
|
||
K = s^{-1} \times Hash(m) \times G + s^{-1} \times R \times X
|
||
\end{equation}
|
||
++++
|
||
|
||
where:
|
||
|
||
- _R_ and _s_ are the signature values
|
||
- _X_ is Alice's public key
|
||
- _m_ is the message (the transaction data that was signed)
|
||
- _G_ is the elliptic curve generator point
|
||
|
||
If the _x_ coordinate of the calculated point _K_ is equal to _R_, then
|
||
the verifier can conclude that the signature is valid.
|
||
|
||
[TIP]
|
||
====
|
||
ECDSA is necessarily a fairly complicated piece of math; a full
|
||
explanation is beyond the scope of this book. A number of great guides
|
||
online take you through it step by step: search for "ECDSA explained."
|
||
====
|
||
|
||
[[serialization_of_signatures_der]]
|
||
==== Serialization of ECDSA Signatures (DER)
|
||
|
||
Let's ((("serialization", "ECDSA signatures")))look at
|
||
the following DER-encoded signature:
|
||
|
||
----
|
||
3045022100884d142d86652a3f47ba4746ec719bbfbd040a570b1deccbb6498c75c4ae24cb02204
|
||
b9f039ff08df09cbe9f6addac960298cad530a863ea8f53982c09db8f6e381301
|
||
----
|
||
|
||
That signature is a serialized byte stream of the _R_ and _s_ values
|
||
produced by the signer to prove control of the private key authorized
|
||
to spend an output. The serialization format consists of nine elements
|
||
as follows:
|
||
|
||
* +0x30+, indicating the start of a DER sequence
|
||
* +0x45+, the length of the sequence (69 bytes)
|
||
* +0x02+, an integer value follows
|
||
* +0x21+, the length of the integer (33 bytes)
|
||
* +R+, ++00884d142d86652a3f47ba4746ec719bbfbd040a570b1deccbb6498c75c4ae24cb++
|
||
* +0x02+, another integer follows
|
||
* +0x20+, the length of the integer (32 bytes)
|
||
* +S+, ++4b9f039ff08df09cbe9f6addac960298cad530a863ea8f53982c09db8f6e3813++
|
||
* A suffix (+0x01+) indicating the type of hash((("digital signatures", "ECDSA", startref="digital-signature-ecdsa")))((("ECDSA (Elliptic Curve Digital Signature Algorithm)", startref="ecdsa"))) used (+SIGHASH_ALL+)
|
||
|
||
[[nonce_warning]]
|
||
=== The Importance of Randomness in Signatures
|
||
|
||
As we((("digital signatures", "randomness, importance of", id="digital-signature-random")))((("randomness, importance in digital signatures", id="random-digital-signature"))) saw in <<schnorr_signatures>> and <<ecdsa_signatures>>,
|
||
the signature generation algorithm uses a random number _k_ as the basis
|
||
for a private/public nonce pair. The value of _k_ is not
|
||
important, _as long as it is random_. If signatures from the same
|
||
private key use the private nonce _k_ with different messages
|
||
(transactions), then the
|
||
signing _private key_ can be calculated by anyone. Reuse of the same
|
||
value for _k_ in a signature algorithm leads to exposure of the private
|
||
key!
|
||
|
||
[WARNING]
|
||
====
|
||
If the same value _k_
|
||
is used in the signing algorithm on two different transactions, the
|
||
private key can be calculated and exposed to the world!
|
||
====
|
||
|
||
This is not just a theoretical possibility. We have seen this issue lead
|
||
to exposure of private keys in a few different implementations of
|
||
transaction-signing algorithms in Bitcoin. People have had funds stolen
|
||
because of inadvertent reuse of a _k_ value. The most common reason for
|
||
reuse of a _k_ value is an improperly initialized random-number
|
||
generator.
|
||
|
||
To avoid this
|
||
vulnerability, the industry best practice is to not generate _k_ with a
|
||
random-number generator seeded only with entropy, but instead to use a
|
||
process seeded in part with the transaction data itself plus the
|
||
private key being used to sign.
|
||
This ensures that each transaction produces a different _k_. The
|
||
industry-standard algorithm for deterministic initialization of _k_ for
|
||
ECDSA is defined in https://oreil.ly/yuabl[RFC6979], published by
|
||
the Internet Engineering Task Force. For schnorr signatures, BIP340
|
||
recommends a default signing algorithm.
|
||
|
||
BIP340 and RFC6979 can generate _k_ entirely deterministically, meaning the same
|
||
transaction data will always produce the same _k_. Many wallets do this
|
||
because it makes it easy to write tests to verify their safety-critical
|
||
signing code is producing _k_ values correctly. BIP340 and RFC6979 both also allow
|
||
including additional data in the calculation. If that data is entropy,
|
||
then a different _k_ will be produced even if the exact same transaction
|
||
data is signed. This can increase protection against sidechannel and
|
||
fault-injection attacks.
|
||
|
||
If you are implementing an algorithm to sign transactions in Bitcoin,
|
||
you _must_ use BIP340, RFC6979, or a similar algorithm to
|
||
ensure you generate a different _k_ for each ((("digital signatures", "randomness, importance of", startref="digital-signature-random")))((("randomness, importance in digital signatures", startref="random-digital-signature")))transaction.
|
||
|
||
=== Segregated Witness's New Signing Algorithm
|
||
|
||
Signatures in((("digital signatures", "segregated witness and")))((("segregated witness (segwit)", "digital signatures and")))((("commitment hash"))) Bitcoin transactions are applied on a _commitment hash_,
|
||
which is calculated from the transaction data, locking specific parts of
|
||
the data indicating the signer's commitment to those values. For
|
||
example, in a simple +SIGHASH_ALL+ type signature, the commitment hash
|
||
includes all inputs and outputs.
|
||
|
||
Unfortunately, the way the legacy commitment hashes were calculated introduced the
|
||
possibility that a node verifying a signature can be forced to perform
|
||
a significant number of hash computations. Specifically, the hash
|
||
operations increase roughly quadratically with respect to the number of
|
||
inputs in the transaction. An attacker could therefore create a
|
||
transaction with a very large number of signature operations, causing
|
||
the entire Bitcoin network to have to perform hundreds or thousands of
|
||
hash operations to verify the transaction.
|
||
|
||
Segwit represented an opportunity to address this problem by changing
|
||
the way the commitment hash is calculated. For segwit version 0 witness
|
||
programs, signature verification occurs using an improved commitment
|
||
hash algorithm as specified in BIP143.
|
||
|
||
The new algorithm allows the number of
|
||
hash operations to increase by a much more gradual O(n) to the number of
|
||
signature operations, reducing the opportunity to create
|
||
denial-of-service attacks with overly complex transactions.
|
||
|
||
In this chapter, we learned about schnorr and ECDSA signatures for
|
||
Bitcoin. This explains how full nodes authenticate transactions to
|
||
ensure that only someone controlling the key to which bitcoins were
|
||
received can spend those bitcoins. We also examined several advanced
|
||
applications of signatures, such as scriptless multisignatures and
|
||
scriptless threshold signatures that can be used to improve the
|
||
efficiency and privacy of Bitcoin. In the past few chapters, we've
|
||
learned how to create transactions, how to secure them with
|
||
authorization and authentication, and how to sign them. We will next
|
||
learn how to encourage miners to confirm them by adding fees to the
|
||
transactions we create.
|
||
|
||
//FIXME: mention segwit v0 and v1 coverage of values to aid hardware
|
||
//wallets
|